CompTIA Security+ SY0-701 Exam Objectives & Domains (2026)
Updated: June 2026 · Read time: 8 min · Level: Beginner
The SY0-701 exam is built from five domains, and CompTIA publishes exactly how much each is worth. Knowing the weightings is the single best way to plan your studying — it tells you where the points are so you don't over-invest in a 12% domain and under-prepare the 28% one. Here's the full breakdown and what each domain actually tests.
The 5 domains at a glance
| # | Domain | Weight |
|---|---|---|
| 1 | General Security Concepts | 12% |
| 2 | Threats, Vulnerabilities & Mitigations | 22% |
| 3 | Security Architecture | 18% |
| 4 | Security Operations | 28% |
| 5 | Security Program Management & Oversight | 20% |
The key insight: Domains 2, 4, and 5 together are 70% of the exam. Security Operations alone is more than a quarter of your score. If your time is limited, that's where it goes.
📄 These weightings are from CompTIA's official SY0-701 objectives. Always download the free official objectives PDF from the CompTIA Security+ page — it lists every sub-topic and is the definitive checklist. Nothing on the exam falls outside it.
What each domain tests
1. General Security Concepts — 12%
The foundation everything else builds on. Expect the core vocabulary and mental models: the CIA triad (confidentiality, integrity, availability), categories and types of security controls, fundamental cryptography concepts (hashing, symmetric vs. asymmetric, PKI, certificates), and change-management practices. Low weight, but skipping it makes the rest harder.
2. Threats, Vulnerabilities & Mitigations — 22%
The "attacks and defenses" domain. Threat actors and their motivations, attack types (malware, social engineering, application and network attacks), common vulnerabilities, and — importantly — the mitigations for each. Questions often give you a scenario and ask you to identify the attack and the right countermeasure.
3. Security Architecture — 18%
Designing things securely. Secure network architecture, cloud and virtualization security, zero trust, data protection (classification, encryption at rest/in transit), and resilience/recovery concepts. This is the "how should it be built" domain.
4. Security Operations — 28% (the big one)
Day-to-day defense, and the largest slice of the exam. Hardening systems, identity and access management, monitoring and log analysis, vulnerability management, incident response, and the security tools you'd actually use. A lot of the performance-based questions draw from here, so practice hands-on.
5. Security Program Management & Oversight — 20%
The governance, risk, and compliance domain. Security policies and frameworks, risk management, compliance and audits, third-party / vendor risk, and security awareness. It's heavy on terminology and definitions rather than hands-on skill — dry, but a fifth of your score, so don't skip it.
How to split your study time
Allocate roughly in proportion to the weightings, then adjust for your weak spots:
- Most time: Security Operations (28%) and Threats/Vulnerabilities (22%), which together make up half the exam.
- Solid time: Program Management (20%) and Security Architecture (18%).
- Least, but don't skip: General Security Concepts (12%) — quick to learn, underpins the rest.
- Throughout: practice the performance-based questions. They appear first, eat time, and reward applied skill over memorization.
For a full week-by-week plan that follows these weightings, see the 8-week study plan in our main Security+ guide.
Is SY0-701 still current?
Yes. SY0-701 (version V7) launched in November 2023 and is the current Security+ exam in 2026. CompTIA refreshes Security+ roughly every three years, so a successor is expected around the time SY0-701 retires. The objectives can also see minor updates within a version — so before you book, confirm you're studying the current version and objectives on comptia.org. Studying outdated objectives is a classic, avoidable mistake.
FAQ
What are the Security+ SY0-701 exam domains? Five: General Security Concepts (12%), Threats/Vulnerabilities & Mitigations (22%), Security Architecture (18%), Security Operations (28%), and Security Program Management & Oversight (20%).
Which Security+ domain is the most heavily weighted? Security Operations, at 28%. With Threats/Vulnerabilities (22%) and Program Management (20%), those three are ~70% of the exam.
Where do I get the official Security+ objectives? A free PDF on CompTIA's official Security+ page. It lists every sub-topic and is the definitive checklist.
Is SY0-701 the current version of Security+? Yes — V7, launched November 2023, current in 2026. Confirm the current version on comptia.org before booking.
How should I split my study time across the domains? Roughly by weighting, with extra focus on weak areas. Prioritize Security Operations and Threats/Vulnerabilities, and practice the performance-based questions throughout.
Domain names and weightings are from CompTIA's official SY0-701 objectives. CompTIA can revise exam content; confirm the latest objectives on the official site before you study.